Bamboozled: Why bar codes on your driver’s license matter

When Elisabeth Hall visited a doctor earlier this year, the office manager wanted to make a copy of her driver’s license.

“I willingly showed him my driver’s license but asked him to not make a copy,” Hall said. “I explained that by viewing it, he could confirm my identity from the picture, but I didn’t want a copy of my license made a part of their office records. It contains info which can be used for identity theft and they don’t need it.”

The manager insisted. Hall stuck to her guns, and asked to speak to the doctor. But the doctor refused to come out, and the manager said Hall wouldn’t be treated unless they made a copy of her license.

Hall left and found a different doctor.

Hall’s husband Kenneth thought she made a smart choice.

“In the case of seniors like me, the doctor already has the Social Security number as it appears on the Medicare card, but they demand the driver’s license as well?” Kenneth Hall said. “They have a right to view it to be sure the picture matches the presenter, but banks and doctors regularly insist on making a ‘Xerox’ copy.”

Indeed, driver’s licenses have personal information that could be used for nefarious purposes if the info falls into the wrong hands.

And if a paper copy isn’t bad enough, some businesses purchase scanners that allow the user to swipe a license, giving the swiper a digital record of your personal information.

Anyone can buy these scanners.

And anyone with a smart phone can download an app that can perform the same scan.

So exactly what can be found on your license’s two bar codes?

“The information that appears on the front of the document is on the bar code to allow law enforcement to verify the license quickly and accurately,” MVC spokeswoman Mairin Bellack said in an email.

We asked about the second bar code — the vertical one on the back of your license — but MVC wouldn’t only say it’s for “internal MVC inventory control use.”

“N.J.’s driver’s license is a secure document with many security features,” Bellack said. “The more information that is given out, the less secure the document becomes.”

Okay.

We asked MVC about the scanners.

“It is not realistic for the MVC to ‘guess’ what the technology of scanners that may be ‘on the market’ are capable of reading,” Bellack said. “The MVC does not utilize license scanners and does not provide any type of assistance for their development.”

Okay again.

“It is no surprise that the MVC is being close-lipped on the data captured on the bar codes,” said Adam Levin, former head of the state’s Division of Consumer Affairs and author of “Swiped: What Identity Thieves Do—And How to Stop Them.” “Even if the information is being used for internal purposes, consumers have a right to know.”

To hopefully learn more, we submitted an Open Public Records Act for specifics about what’s on the bar codes. We’ll let you know what we learn.

We then tried to get answers for another Bamboozled reader who had concerns about MVC’s use of Social Security numbers.

“License and registration renewals in New Jersey still require [a Social Security number],” reader Howard Fischer said. “Why does the NJMVC need Social Security numbers? Can that entry be left blank without repercussions?”

We asked MVC what happens if a Jersey driver refuses to provide a Social Security number, even if the Social Security number is already in the MVC system.

Bellack said the submission of Social Security numbers is required by law.

“The number will be used to prevent errors, enforce federal and state laws and assist in the collection of motor vehicle fees,” the MVC spokeswoman said.

That didn’t answer the question of what happens to a driver who refuses. So we asked again.

And we got the same non-answer answer given above.
MORE ON THE BAR CODES

Back to those bar codes.

While New Jersey’s licenses have lots of protection features, exactly what third parties do with scanned information is iffy.

The federal Driver Privacy Protection Act (DPPA) prohibits the disclosure of personal information without the express consent of the license holder, with certain exceptions, said Mitch Feather of Creative Associates, a Madison-based cybersecurity and infrastructure consulting firm.

Part of the law allows swiping “for use in the normal course of business by a legitimate business or its agents, employees, or contractors, but only to verify the accuracy of personal information.”

For example, Feather said, business that sell alcohol or tobacco may use license information for age verification. Those who swipe will make sure the birth date on the front of the license hasn’t been tampered with and matches the information on the bar code.

“It is not illegal for businesses to scan your license in order to verify your age or check for fraud, but they are not supposed to collect and market this data,” Levin said.

A couple of states have banned the storage of swiped information — called warehousing — except in certain circumstances. New Jersey is not one of them.

In 2011, New Jersey introduced the Enhanced Drivers License (EDL) to comply with a different federal law that mandates that states create more stringent ID cards, Feather said. Like other states’ EDLs, New Jersey’s has a number of security features – some obvious and some not so obvious.

“So as to not be self-defeating, New Jersey will – understandably – not fully disclose all of the security features,” Mitchell said.

The two bar codes are a feature of the EDL. The strip along the short edge of the license is a called a one-dimensional bar code, or 1D bar code, Feather said. The strip along the long edge of the driver’s license is called a two-dimensional bar code, or 2D.

Feather said the 2D bar code is the one that holds the same information as the front of your license. What’s on the 1D bar code is unknown.

As one point of solace for protection-concerned citizens, New Jersey does not include Social Security numbers in the 2D bar code, Feather said.
PROTECT YOURSELF

This all means that means consumers are left with the responsibility of checking up on what every company that asks for a swipe does with the information.

We did a little checking.

Pharmacies are required by law to scan your license for certain sales.

“The only time we scan is when anyone purchases a pseudoephedrine product, which is a precursor ingredient for the making of meth and is required by law,” said Mike DeAngelis, a spokesman for CVS/pharmacy.

He said the scan is connected to a database called MethCheck, which runs the bar code on the back of a state-issued identification to make sure the buyer hasn’t purchased more than the allowable maximum, which is 9 grams in a 30-day period.

CVS/pharmacy said it doesn’t store the information, but simply gets a ping back from the database with a “yes” or “no” for the customer to make the purchase.

Rite Aid does the same kind of scan, but it said it does collect the information.

We asked how the info is stored, and a spokeswoman said, “Because of the confidential and proprietary nature of this information, we are unable to disclose specifics, but the information is securely stored and maintained.”

Other businesses require a license scan when a consumer makes a return.

Bamboozled took a look at that a few years ago, and we found it’s part of a system used by many retailers to track “serial returners.” You know, customers who purchase stuff, use it temporarily and then try to return the item.

“Stores like Target, Best Buy and Victoria’s Secret scan customers’ driver’s licenses stating that it is part of their return policy to prevent fraudulent returns and to create customer `return profiles,'” Levin said. “Unfortunately, it doesn’t stop there. The information that is captured from the magnetic strip is collected and stored in their databases.”

He said retailers should not have a “secret database” that stores your customer information without your consent, calling it a “violation of your privacy.”

We reached out to Best Buy, Victoria’s Secret and Walmart to ask: Do they store the scanned information? How do they keep it secure? Who has access to it? Exactly what information are they getting from the scan?

None of the companies responded.

What’s the big secret?

As a consumer, ask questions, and be cautious.

Feather said when merchants ask to scan his license for what he’d consider a less-than-obvious reason, he questions them about why they need it before turning it over.

If you do, be prepared for some interesting responses and consequences, he said, such as retailers who turn you away.

Levin said consumers must be vigilant and discerning in handing over their licenses and allowing them to be swiped.

“Since New Jersey has a policy against allowing drivers to smile and/or show teeth on drivers license pictures in order to prevent fraud, why should you have to grin and bear it when it comes to having your personal data swiped at local stores?” he said. “If it is not absolutely required, just say `no.'”

Big Brother is watching, for sure. And we’re not sure we have a complaint about that. What we do have a problem with is when the watchers aren’t being forthright and transparent about when they scan, why they scan, what information they get from the scan and how they secure that information.

Have you been Bamboozled? Reach Karin Price Mueller at Bamboozled@NJAdvanceMedia.com. Follow her on Twitter @KPMueller. Find Bamboozled on Facebook. Mueller is also the founder of NJMoneyHelp.com.